Department for Work and Pensions
March 2015
October 2015
0
Contents
Glossary
02
Statement of commitment
04
IMA background
05
Key findings of the assessment
06
Highlights table
11
Recommendations to address risk areas
13
1
The value of information
17
2
Information and supporting technology
26
3
Information risk, governance and oversight
33
4
Records, review and transfer
44
© Crown copyright 2015.
You may use and re-use the information featured in this report (not including logos) free
of charge in any format or medium, under the terms of the Open Government Licence
v3.0
Email enquiries regarding the use and re-use of this information resource to
psi@nationalarchives.gsi.gov.uk
1
Glossary
BSIRO – Business Senior Information Risk Owner
DPO – Data Protection Officer
DRO – Departmental Records Officer
DROID – Digital Record Object IDentification
DSOB – DWP Security Oversight Board
DWP – Department for Work and Pensions
EDSAC – External Data Sharing Advisory Centre
ERMS – Electronic Records Management System
ESA – Employment and Support Allowance
ERM – Electronic Records Management
FARIO – Find and Retrieve Information Online
FOI – Freedom of Information
HMRC - Her Majesty’s Revenue and Customs
IAC – Information Asset Coordinator
IACSEP – Information Assurance and Cyber Security Engagement Programme
IAI – Information Asset Inventory
IAM – Information Asset Manager
IAO – Information Asset Owner
IM – Information management
IMA – Information Management Assessment
IMAB – Information Management Assurance Board
IMC – Information Management Consultant
JSA – Job Seekers Allowance
KIM – Knowledge and Information Management
KIMD – Knowledge and Information Management Division
KIRM – Knowledge, Information and Records Management
NINo – National Insurance Number
PIA – Privacy Impact Assessment
PIP – Personal Independence Payment
PST – Personal Storage Table
RM – Records management
SIRO – Senior Information Risk Owner
2
SLAQ – Series Level Appraisal Questionnaire
SPAG – Strategy Policy and Analysis Group
Stat-Xplore – tool for exploring benefits statistics
WSTB – Welfare Sector Transparency Board
3
Statement of commitment
The following statement was provided by the Permanent Secretary of the
Department for Work and Pensions (DWP). It is published on the Department’s
intranet site.
Dear colleagues
Information is at the heart of everything DWP does, from processing claims for benefit, to
helping people into work, assessing our performance against key targets, tackling fraud
and error, developing policies and forecasting where we need to be in the future.
We also need to make sure that information on DWP customers are protected and used in
a lawful and appropriate way, this often requires difficult judgement calls, most of the time
we get these right but occasionally we do not.
To show the strength of the Department’s commitment to getting these judgement calls
right, I have asked The National Archives to review our information processes and
systems. They have agreed to undertake this task in March 2015. The National Archives
regularly conducts assessments of information management practices and compliance
within government departments.
The report they produce will help me to support all aspects of information management
across the Department so that our information is appropriately captured, managed and
preserved and information risks and sensitivities are appropriately handled.
Yours sincerely
Robert Devereux
Permanent Under-Secretary, Department for Work and Pensions
22 January 2015
4
Information
Management
Assessment
(IMA)
background
The IMA involved a detailed review of supporting documentation followed by
interviews with senior staff, specialists and practitioners in the Department’s London,
Leeds and Manchester offices and including a Job Centre and a Benefits Delivery
Centre. These were conducted between 2 and 12 March.
The following report provides a summary of good practice and risks identified. IMA
reports and departmental action plans are published on The National
Archives’ website at:
http://www.nationalarchives.gov.uk/information-management/manageinformation/ima/ima-reports-action-plans/
5
Key findings of the assessment
1
The value of information
Performance rating

Communicating and realising value
Development area
Managing information as an asset
Good
The Department for Work and Pensions (DWP) recognises the importance and
value of its information and particularly the importance of protecting sensitive
information. It has made excellent progress in the area of information exploitation.
There has been positive support from senior management. For example, both the
Permanent Secretary and Senior Information Risk Owner (SIRO) led a drive to
promote the importance of records management (RM) and of complying with the
print to paper policy.

DWP has an information strategy (2012) in place which the Department has
assured us is being updated, but does not have a central set of goals around
corporate records management which fits within the wider strategic picture. This
should be addressed in parallel to the current updating of the information
strategy.

Although staff recognise the importance of record keeping, they are still not
consistently complying with the print to paper policy. DWP should seek to
establish a senior champion for RM. This will help to raise awareness of the
importance of RM and help promote the message that all staff have an important
role in ensuring that the right records are kept and managed appropriately. See
Recommendation 1.

DWP has made excellent progress in establishing a process for information asset
management and assurance. The Information Asset Owner (IAO) role was
recently relaunched as the Business Senior Information Risk Owner (BSIRO) and
there are well-defined responsibilities for the role. In addition, there are
increasingly effective networks of Information Asset Coordinators (IAC) and
Information Asset Managers (IAM). Information Asset Inventories (IAI) and
6
Information Asset Assurance Returns are regularly updated and reported on by
IACs and IAMs. There have also been real attempts to incorporate information
management (IM) and RM as part of this process; for example, the IAI includes
information about retention and the Information Asset Assurance Returns include
a question on compliance with the Records Management Policy. The majority of
staff have completed the ‘Responsible for Information’ training and DWP are fully
engaged with the Information Assurance and Cyber Security Engagement
Programme (IACSEP).
2
Digital information and supporting technology
Performance rating

Supporting information through technology
Development area
Digital continuity and IT change
Development area
Although DWP manages its customer information well, the picture is less positive
for its ‘corporate’ information. DWP does not yet have an Electronic Records
Management System (ERMS), though there has been an aspiration to implement
such a system for several years, and a print to paper policy is still in operation.
Shared drives are widely used but there is no central Knowledge and Information
Management (KIM) team oversight or control of these. Shared drives are not
routinely well managed locally and they do not fully support the management of
information throughout its lifecycle. Finding of information within business areas
does not appear to be an issue, but sharing and finding information across these
boundaries is often difficult. DWP needs to establish concrete plans to implement
a
central
solution
for
managing
corporate
digital
information.
See
Recommendation 2.

In terms of digital continuity, DWP has a partial view of the corporate digital
information it holds and requirements for RM have not always been part of
projects to introduce new technology. The limitations of the current shared drive
environment, inconsistent adoption of the print to paper policy; and a lack of
oversight of control of corporate digital information, means there is a very real risk
7
that the organisation will not have the information it needs to carry out its
business and may not be able to comply with information legislation and
information assurance obligations. The organisation should devise a plan for
embedding digital continuity (the ability to find, open, work with, understand and
trust information for as long as you need to) into corporate business as usual
processes. See Recommendation 3.
3
Information risk, governance and oversight
Performance rating

Recognising information risk
Development area
Establishing control
Satisfactory
Providing guidance
Good
Measuring impact
Development area
DWP has a solid process in place for managing risk, and information risk is
recognised and managed, at least in terms of the security and protection of
sensitive information. However, risks around the wider management of
information and records are not yet fully recognised within the Department’s risk
management framework. DWP needs to ensure that it defines the risk of failing
to manage its corporate information so that the impact of not capturing or keeping
the information that is needed can be understood at all levels of the business and
managed. The SIRO should have sight of this risk and the actions that are in
place to manage it. See Recommendation 4.

There is a good set of governance structures for information security through the
DWP Security Oversight Board (DSOB) and the Information Management
Assurance Board (IMAB). At present the structures are still maturing and in
particular IM/RM related risk should have greater visibility in both the above
Boards. However, with continued investment of effort from the centre of the
Department plus support from the BSIROs they should provide an opportunity to
bring senior people together and act as a forum for the recognition and
8
discussion of risks to information and mitigations.

DWP has a comprehensive set of KIM policies and guidance covering the whole
of the IM lifecycle, from creation, capture and what to keep, to management,
disposal, Freedom of Information (FOI), data protection and information
assurance. There have been good efforts to promote this across the organisation
in an engaging and simple way through campaigns such as Essential Records
Management and by producing shortened, easy to understand, ‘desk aid’
versions of the guidance. Many of the staff we spoke to were aware of the
guidance and used it.

There are relatively few formal measures in place at present to measure
compliance with the Records Management Policy. A question on RM has been
included in the Information Assurance Asset Returns and business areas are
expected to provide evidence to demonstrate how they are meeting this. This
approach is still maturing and the KIM team should define exactly what it wants
business areas to report on. The Knowledge and Information Management
(KIMD) Division also carry out file audits where over 400 registries are asked to
provide lists of corporate registered files that they hold. If problems are found
then these are escalated back up the management chain. These audits should be
formalised as a method of managing compliance with the Records Management
Policy. DWP should extend the audits to cover digital information; at the moment,
due to key records being kept on shared drives rather than on registered files,
they are only providing part of the picture. See Recommendation 5.
9
4
Records, review and transfer
Performance rating

Oversight of records and selection
Satisfactory
Implementing disposal decisions
Satisfactory
DWP has a robust and well established process in place for the oversight, control
and management of its paper records. Considering that DWP transports, tracks
and manages paper files on almost unrivalled scale across government, Capita
(which manages the paper file stores in conjunction with the KIMD) meets user
requirements and has a 99% success rate of being able to locate files. There is
regular, controlled disposal of paper files. In order to comply with its obligations
under the Public Records Act DWP also has very good processes for the
appraisal, selection, sensitivity review, preparation and transfer of its paper
records, is currently ahead in the transition to the 20-year rule and does not have
a backlog.

If we were assessing paper records alone we would consider DWP to be rated as
good. However, improvements are needed in the management of its corporate
digital information, hence the overall score of satisfactory. The KIM team does
not have any control of the shared drives and has not yet started to consider how
it might appraise, select, sensitivity review and transfer corporate digital
information. Disposal is built into most of the benefits delivery systems but not all.
It is therefore recommended that DWP works towards extending the KIMD
oversight and control of paper records to digital information. The KIMD should do
more to ensure that shared drives are being managed appropriately; in particular
that information of value is being identified and kept for as long as it is needed,
and that information is disposed of once it is no longer required.
10
Highlights table
The following are among the areas of good practice identified at the time of the
assessment. They include systems and approaches that other government
organisations may find helpful in mitigating information management (IM) and
records management (RM) related risks:
Highlights of the 2015 IMA
There is a good process in place for reporting on, and oversight of,
information assets using the Information Asset Inventory (IAI) and the
Information Asset Assurance Returns. The Information Asset Owner (IAO)
role has been refreshed and relaunched as a Business Senior Information
Risk Owner (BSIRO) and there was good practice around the Information
Asset Coordinator (IAC) role and in establishing and maintaining good
networks of Information Asset Managers (IAM). There have been real
attempts to incorporate IM and RM into this process by including retention
information on the IAI and a question on the Information Asset Assurance
Returns around compliance with the Records Management Policy.
The Department for Work and Pensions (DWP) has a well-organised and
successful system for handling Freedom of Information (FOI) and data
protection and particularly effective networks of FOI Focal Points and Data
Protection Officers.
DWP is increasingly proactive in sharing/making information available and
there is a governance structure around this process. For example, it has
established a substantial Data Warehouse which brings together the richest
sources of customer and other public sector data and it exploits these as
11
much as it can. The analytical community brings in their own data and creates
derived datasets from the warehouse. It is also used heavily for the process of
‘data matching’ which is helping to reduce fraud within the benefits/tax
system.
DWP has also developed an online tool called Stat-Xplore, https://statxplore.dwp.gov.uk/, which provides a guided way to explore DWP benefit
statistics. It currently holds data relating to Housing Benefit claimants, the
number of National Insurance Number registrants entering the UK from
overseas, Jobseekers Allowance and Employment and Support Allowance
sanction decisions, and Personal Independence Payments. In future StatXplore will include data on a wider set of DWP benefits.
DWP has a comprehensive set of Knowledge and Information Management
(KIM) policies and guidance covering the whole of the IM lifecycle, from
creation, capture and what to keep to management, disposal, FOI, data
protection and information assurance. There have been good efforts to
promote this across the organisation in an engaging and simple way through
campaigns such as Essential Records Management and by producing
shortened, easy to understand, ‘desk aid’ versions of the guidance.
Process management and oversight of paper records including records review
and transfer is very good. DWP is currently ahead in its transition to the 20year rule and has no backlog of review. They have an experienced and
knowledgeable review team which plans ahead to meet transfer targets and is
using more efficient methods of appraisal and selection, such as the Series
Level Appraisal Questionnaire (SLAQ), in line with The National Archives’
guidance. File audits are also providing the team with an effective way of
tracking management of paper files within the business and tackling issues.
12
Recommendations to address risk areas
Recommendation 1
The Department for Work and Pensions (DWP) should ensure that it has a holistic
strategy for corporate records management (RM) that reflects the value of
information and importance of record keeping has greater profile and recognition
across the organisation. This should be fully aligned with the wider Information
Strategy.
This would be supported by:







Establishing a board level senior champion for RM.
Using the senior champion for RM to promote the strategy across the organisation.
Developing a RM strategy that includes a message to staff at all levels about their
responsibility for RM.
Aligning the RM strategy with the wider information strategy and with Information
Assurance and IT.
Ensuring that work to develop a new Electronic Records Management (ERM)
solution is a core part of this.
Defining critical success factors for the new strategy.
Developing an implementation plan for the strategy.
Recommendation 2
DWP needs to establish concrete plans to implement a solution for managing
unstructured corporate digital information to replace the print to paper policy.
This would be supported by:


Defining business requirements for RM, for example, around search, data sharing,
metadata, access management and disposal, and that they guide the
implementation of an Electronic Records Management System (ERMS).
Collaborating and learning from the experience of other departments that have
recently rolled out ERM solutions. A plan to identify key corporate information on
the shared drives and migrate this to the new ERMS, to freeze shared drives to
13





new content once the ERMS has been rolled out, and switch off the shared drives
once the new system is established.
Training and supporting staff in using the new ERMS.
Ensuring that the new ERMS connects to the email system and make the process
of saving significant emails as easy as possible for staff, automating the process
where possible.
Applying retention rules to Enterprise Vault. For example, one government
department disposes of information in Vault after two years. Making sure staff are
aware of this, and are reminded of the need to save emails of corporate value to
shared drives and/or print off and put on registered files.
Applying retention rules to Lync and making it clear to staff for what exact purpose
they should be using this system.
Ensuring that there is a process for capturing any key corporate information from
Drupal, applying retention rules, and making it clear to staff exactly what they
should be using this system for.
Recommendation 3
DWP should devise a plan for embedding digital continuity (the ability to find, open,
work with, understand and trust information for as long as you need to) into
business as usual processes.
This would be supported by:






Fully recognising and managing risks to the continuity of digital information as part
of the risk management process.
Building digital continuity into the information asset management process as
suggested in the 2011 DWP Digital Continuity Policy.
Surveying digital information held on shared drives as part of the preparation for
moving to an ERMS. This could be done in a similar way to the paper file audits,
asking business areas to report on what is held in the shared drives.
Negotiating a slot to run The National Archives’ Digital Record Object IDentification
(DROID) tool, or similar, would be particularly helpful in determining how much
duplicate information is held and in identifying formats and age of information.
Ensuring that Knowledge and Information Management Department (KIMD) staff
are involved in any IT developments that would have an impact on KIMD
responsibilities from the outset and that business requirements for IM are a core
part of these projects. Business requirements would include, for example, whether
you can add the correct metadata, whether there is adequate search functionality,
whether you can export or dispose of information and manage access restrictions
Ensuring that the need to keep information within benefits delivery systems
14
available and usable is factored into DWP’s plan for implementing digital continuity
as business as usual.
Recommendation 4
DWP should factor IM and RM into the way it defines and monitors information risk.
This would be supported by:



Ensuring that that the risk of not capturing and keeping the records it needs, in the
way that it needs for as long as it needs, is recognised and managed through the
risk management framework.
Ensuring that information risks are discussed at the Information Management
Assurance Board (IMAB) and are given scrutiny by the DWP Security Oversight
Board (DSOB).
Promoting awareness of information risks and how they should be managed.
Recommendation 5
DWP should seek to establish a more effective approach to monitoring and
achieving compliance with IM and Records Management Policy.
This would be supported by:





Establishing a network of information representatives or KIRM advocates across
the organisation. This should include a role description and training and support
from the Knowledge and Information Management (KIM) team.
Using this network to promote KIM policy and processes and provide training and
support for staff on information and records management in business areas.
Building on the work that has already been done to monitor compliance with the
Records Management Policy using the Information Asset Assurance Returns in
particular, further defining what sort of evidence business areas should provide in
order to demonstrate compliance.
Gaining greater assurance on the content of shared drives and the management of
this content by, for example, by extending file audits or building into the Information
Asset Assurance Returns.
Considering rolling out the Essential Records Management campaign of bite-sized
information on IM and RM across other business areas.
15
Recommendation 6
DWP should work towards extending the KIMD’s oversight and control of paper
records to digital information.
This would be supported by:




Exploring the possibility of extending the paper file audits to cover digital
information on the shared drives, and as part of this, ask business areas to report
on disposal.
Ensuring that all digital systems (including benefits delivery systems and the new
ERMS) have disposal built in and that disposal is being actioned.
Ensuring that the KIMD/information advocates in the business are involved in the
creation and management of shared drives.
Beginning to devise an approach for appraisal, sensitivity review and transfer of
digital information, particularly that on the shared drives, drawing on advice from
The National Archives and other government departments’ work in this area.
16
1 The value of information
1.1
Communicating and realising value
Goal: The organisation establishes information’s value in principle and
supports its realisation in practice.
Establishing the importance of information
The Department for Work and Pensions (DWP) recognises the importance and value
of its information and particularly the importance of protecting sensitive information.
The Records Management Policy clearly states that all staff are responsible for
record keeping and clearly sets out which records should be kept, why and for how
long. This is mirrored throughout related policies, guidance and training. DWP is
undertaking a substantial Business Transformation Project and information is an
integral part of this and the vision for how DWP will be operating by 2020 through the
Intelligent Data Use Sharing and Management strand.
The outgoing Senior Information Risk Owner (SIRO) has been engaged with
information management (IM) and in June 2014 submitted a paper on the
importance of record keeping, what should be kept and adhering to the print to paper
policy, to the Executive Team. The Permanent Secretary then wrote to all staff to
remind them of their records management responsibilities. The SIRO chairs the
DWP Security Oversight Board (DSOB), which provides assurance and governance
for all security issues across the Department.
Almost all of the staff we spoke to recognised the importance of the information that
they create as part of their work. There was a particularly strong recognition of this
among those working with customer records at the delivery end of the business.
However, despite the write round from the Permanent Secretary and continual
reminders from the Knowledge and Information Management Department (KIMD),
staff are still not consistently complying with the print to paper policy and are using
the shared drives and email instead. Several interviewees felt that the promise of a
17
digital solution for records management (RM) being ‘just around the corner’ for many
years had ‘put people off’ from printing to paper. Others felt that it just did not fit with
the way they work. Printing off digital records was just an additional task that they did
not have the time to perform.
There was also a feeling that the loss of the Administrative Assistant grades, which
used to be responsible for registered filing, had contributed to the breakdown of the
paper system. Several interviewees felt that more could be done, particularly at
senior levels, to push the message that ‘we are all information managers.’ One
interviewee wanted to see ‘a global emphasis on filing as part of your responsibilities
as a civil servant, like you do in information security.’ Another felt that ‘the whole
Department has to be engaged in IM and RM…there has to be a bottom up as well
as a top-down approach.’ This message should form an important part of any new
RM strategy. In addition DWP would benefit from having an established senior
champion for RM. This role should ideally be at board level and could be the SIRO,
but does not have to be. This would help to ensure that the importance of IM and the
risk to the business if it is not done well is recognised at the highest level, and that
there is someone senior enough to promote this message across the organisation.
See Recommendation 1.
Setting goals for information and its management
DWP is providing direction for many aspects of managing its information. The DWP
has an Information Strategy which was implemented in 2012, and is based around
the seven Cabinet Office information principles. Work on a refreshed information
strategy has now been tied to the emerging priorities of the Business Transformation
Group. The aim is to update the strategy and to ensure that it is aligned with the
2020 digital vision. However DWP does not have an underpinning corporate records
management strategy. DWP should develop such a strategy that includes a
message to staff at all levels about their responsibility for RM. The strategy should
set clear critical success factors and have a clear plan for implementation This
should be aligned with the work to establish an Electronic Records Management
(ERM) solution for corporate records. See Recommendation 1.
18
Enabling public access to information and supporting transparency and re-use
DWP has a well-organised and robust system in place for handling Freedom of
Information (FOI) requests, which is borne out by FOI figures. DWP reported having
received over 1,000 requests in Q3 2014 – in fact, it has received over 1,000
requests every quarter since Q3 2012. Of those received in Q3 2014, 90% met the
20-day deadline and 90% were answered in ‘time’ (meeting deadline or within
permitted extension). From Q1 2013, DWP has consistently achieved a figure of
90% answered in ‘time’ for every quarter. In Q3 2014, 65% of resolvable requests
were granted in full – this is above the average for all monitored bodies (49%). 28%
were withheld in full, which is slightly below the average for both departments of
state (33%) and all monitored bodies (32%).
Both FOI and data protection activities are coordinated centrally but the process of
handling individual requests is devolved to networks of FOI Focal Points and Data
Protection Officers (DPOs) and Deputy DPOs. Staff we spoke to felt that this process
works well because the business has greater knowledge of its information and likely
sensitivity issues. Requests are logged and tracked using a workflow system,
records of the process are kept and retention is built in. The central FOI and Data
Protection teams provide advice, guidance and support to FOI Focal Points, DPOs
and Deputies via the intranet and through regular telekits or video conferencing
sessions. The central teams are also looking at innovative ways of extending their
reach, for example, FOI Focal Points have a virtual team and the Data Protection
team are helping DPOs to help each other by setting up mentoring sessions. It is
recommended that the Knowledge and Information Management (KIM) team
investigate the possibility of using some of these methods when establishing an
effective network of Knowledge and Information Management Department (KIMD)
advocates. This is good practice.
Despite the sensitivity of much of its information, DWP is striving to proactively
publish as much data as possible and has made real progress in this area. This is
good practice. As at 23 February 2015, there were 4,086 publications by DWP on
19
GOV.UK, 203 of which were classed as transparency data. The Department has
published 292 datasets on data.gov.uk. The website gives the Department an
average score for openness of 0.2 and has received a total of 49 stars.
There is recognition of the potential tensions between transparency and security and
these two areas are together under one Director General Command. DWP has
established a Welfare Sector Transparency Board (WSTB). This is external facing
and includes financial people from work programme contracts and representatives
from blue chip companies. All records of this group are published. There is also an
Open Data Working Group which sits underneath the WTSB and includes
representatives from their main consumer groups. This group helps DWP to
understand what consumers of their information want and understand their priorities
as well as acting as a forum to discuss what they can do better as an organisation
and where changes can be made.
There is a good governance structure in place around the sharing of information. All
external data sharing requests from other Government Departments come through
the External Data Sharing Advisory Centre. There is also a Data Ethics Committee
consisting of internal and external members and chaired by Head of KIMD.
The Department has established a substantial Data Warehouse which is a rich
source of customer data, lawfully obtained from its own and other public sector
sources. DWP exploits this in order to fulfil its functions and additionally to forecast,
evaluate, develop polices and processes, produce fiscal frameworks and predict
trends and future needs in accordance with its own legislation.
The information is derived from DWP, Her Majesty’s Revenue and Customs
(HMRC), Northern Ireland Social Security Agency and Local Authorities but is
enriched with other public sector data where this can be reused. It is therefore a
highly sought after resource across government statisticians and analysts and the
wider analytical community.
Access to this is controlled and wherever possible anonymised for further use.
Where personal data needs to be used it is done so in accordance with strict
procedures, processes and controls. The environment enables analysts to develop
20
further datasets from and within the warehouse where further use is likewise
controlled.
It is used by other government departments such as HMRC and also used heavily
for the process of ‘data matching’ which is helping to reduce fraud within the
benefits/tax system.
DWP has also developed an online tool called Stat Xplore https://statxplore.dwp.gov.uk/ which provides a guided way to explore DWP benefit statistics. It
currently holds data relating to Housing Benefit claimants, the number of National
Insurance Number registrants entering the UK from overseas, Jobseekers Allowance
and Employment and Support Allowance sanction decisions, and Personal
Independence Payment. In future Stat-Xplore will include data on a wider set of
DWP benefits.
1.2
Managing information as a valued asset
Goal: The organisation protects, manages and exploits its information
assets to achieve maximum value.
Defining and cataloguing information assets
DWP has made excellent progress in establishing a process for information asset
management and assurance. According to the Information Asset Manager (IAM)
Guide, which is available on the intranet:
An information asset is any piece or collection of information, stored within the
DWP estate, defined and managed as a single unit so that we can understand
it, share and protect it effectively and get the most value from it. It is
something we cannot replace without cost, time, skill and resources.
It may be customer data or employee information but it is not only about
personal information. It includes any type of information that, if lost or
21
misused, could affect our ability to deliver services, or could damage the
Department’s reputation e.g. commercial documentation.
This is a good description that reflects the government definition of an information
asset and ties in with the DWP Records Management Policy and related guidance
and training. The fact that it explicitly states that it is not just about personal
information is very helpful, as we have seen information asset approaches that are
based largely around only this type of information. The description provides a good
basis for building IM and RM into the asset management process and encourages
business areas to think about information in its widest sense.
Each Business Senior Information Risk Owner (BSIRO) has their own Information
Asset Inventory (IAI), which is the DWP equivalent of an information asset register.
IAMs are responsible for reviewing and keeping IAIs up to date and the Information
Asset Coordinators (IAC) oversee this process.
DWP uses IAIs to identify and track its information assets. There is a standard IAI
template available on the intranet. This is quite detailed and includes details about
the system/asset, owners and contact details, data transfer where relevant, what
type of information the system/asset contains, accreditation, the impacts on
confidentiality, integrity and availability and retention information. IACs are
responsible for checking that IAIs are populated and kept up to date. Staff we spoke
to reported that the quality of information in these varies (the example we saw was
detailed), some are very good, some less so, and one IAC said that they often had to
chase IAMs to get retention information added. The IAI is recognised as an important
tool for DWP and one interviewee working in the area of information exploitation said
‘the Department needs to know what we hold so we can properly exploit it.’ This is
good practice.
Ownership of information assets
The BSIRO role was established in 2014 and built on the existing role of IAO. This is
a senior role, usually at Director level, though it has also been applied to particularly
important projects. There is a role description/performance objective for BSIROs
which states that they are responsible for:
22

Demonstrating professional and visible leadership, ensuring senior
management focus on all information management, assurance and
security-related issues;

Leading and fostering a culture that values, uses and protects information
for the public good, through proactive communication;

Taking the lead for the effective management and mitigation of information
risks, including the maintenance of a business-specific information risk
register and ensuring individual business risk decisions are consistent with
the DWP information risk appetite;

Overseeing the management, reporting and escalation of information or
security incidents, ensuring that breaches are dealt with fairly and
consistently; and

Providing an appropriate level of assurance to the DWP SIRO through
endorsement of the through-year information security and assurance
reports.
The BSIRO guide states that they need to know:

What information is held in their part of the business

In what format information is held, transferred and destroyed

What information is added or removed

Who has access to information assets and why

Who is responsible for managing those processes within the business

What are the risks to the information
BSIROS are expected to attend and participate in the Information Management
Assurance Board (IMAB) meetings. Staff we spoke to said that these meetings
provided an opportunity for BISIROs to provide updates and to share best practice,
lessons and discuss points of accountability. One BSIRO who was relatively new to
23
the role reported that they had ‘buddied’ up with BSIRO from another Directorate to
learn more about the role in practice.
Given their seniority, it is recognised that BSIROs will not be able to be involved in
the day to day running of this process. They are therefore supported by IACs and
they, in turn, are supported by networks of IAMs across the business. IAMs are
responsible for compiling and maintaining the IAIs and update them twice a year.
IAMs are also responsible for gathering and sending evidence for the twice-yearly
Information Asset Assurance Returns to their IAC. The IACs coordinate this process
and are responsible for passing Information Asset Assurance Returns to the BSIRO.
The IACs we spoke to were committed to the role and proactive both in terms of
fulfilling their information assurance reporting requirements but also in coordinating
networks of IAMs in their business areas and providing training, updates and
support. One IAC described how they provide links to training and guidance and
provide training sessions for the IAMs and are considering the possibility of rolling
this out to IAMs across DWP. As is often the case these responsibilities are
something that IACs and IAMs do on top of already busy day jobs. The level of the
IAM role varies throughout DWP, according to one IAC, it should be at Senior
Executive Officer level and there is some concern among IAMs about balancing their
work with the demands of the role and awareness of importance of this work.
The Information Asset Assurance Returns are comprehensive and include questions
on five of the six areas that are reported on annually across DWP: leadership and
governance, training education and awareness, information risk management,
through life information assurance measures and assured information sharing. In
terms of a sixth area, compliance, an appropriate checking regime is being
developed to demonstrate compliance with departmental policies and procedures.
The returns are more than just a box ticking exercise, as business areas are
expected to include evidence to demonstrate how they have met their obligations.
The example we saw has a detailed response and evidence for each question. DWP
has also attempted to build IM and RM into the Information Asset Assurance Returns
by adding a question about whether the DWP Records Management Policy is
applied appropriately. This is a positive start but as it is quite high level it is
recommended that some KIM staff work with Information Assurance to further define
24
exactly what is meant by this question and what evidence is required, to enable IACs
and IAMs to provide a more useful response.
DWP is fully engaged with the Information Assurance and Cyber Security
Engagement Programme (IACSEP) run by The National Archives. The IACSEP
team reported that they have trained a number of the BSIROS and have also hosted
an away day for IAMs. The DWP Head of Security and Business Continuity attends
all their events and contributes to the e-newsletter.
25
2
Information and supporting technology
2.1 The technology environment
Goal:
The
technology
environment
supports
the
management,
protection and exploitation of information.
Corporate storage of information
The Department for Work and Pensions (DWP) does not yet have an Electronic
Records Management System (ERMS) and a print to paper policy is still in operation,
though there has been an aspiration to implement such a system for several years.
Plans to bring in a collaboration tool and in the longer term use as an Electronic
Records Management (ERM) solution, were halted at the end of 2014. DWP is now
aiming to build a system both for collaboration and information management (IM)
and records management (RM). According to one interviewee consideration has
been given to go open source as it will ‘give DWP the flexibility to work in the way
that they need to.’ This work should form a core part of a new RM strategy. DWP
should ensure that it has clearly defined its business requirements for IM (for
example, around access, disposal, and search), and that these guide the
implementation of the new ERMS. In addition, it should also make contact with and
learn from the experience of other departments which have recently rolled out new
ERM solutions. A lot of time and effort was spent preparing to bring in the
collaboration tool including, for example, creating a new file plan. As this work was
function-oriented it can be reused for whatever new system is chosen. See
Recommendation 2.
Shared drives
In the absence of an ERMS, shared drives are used to store and manage
unstructured information. These have been in existence for around 20 years and
staff increasingly use them to store key corporate information rather than printing it
26
off and putting it on registered files. There is some brief central guidance but
decisions about how shared drives are structured and managed are made at the
local level. The Knowledge and Information Management Department (KIMD) has no
oversight or control of the shared drives and their influence here is limited. For
example, IT handles requests to set up new shared drives without recourse to KIMD.
Access to individual shared drives is limited to the relevant business areas so the
information within them is not accessible across DWP. According to one interviewee
the only real way of sharing information is by email so there are ‘multiple versions all
over the place with no control over and no responsibility for the finished article and
what is done with it.’ Another stated that everyone has their own way of doing things,
that personal file naming was frequently used and that there were files that needed
to be disposed of but no time to do it. There were also concerns around a lack of
‘future proofing’ - for example, if teams are reorganised it would be difficult for
successors to understand what information is in the shared drives and how it is
organised.
Disposal from shared drives has to be performed manually by individual business
areas and practice is patchy. There is also an issue with ‘orphaned’ shared drives
when teams disband and there has been pressure from IT to delete these shared
drives. KIMD has had to insist to IT that they review the drives before deletion as
they may contain key corporate records.
There was a general recognition amongst KIMD and IT that the shared drives would
need to be frozen and eventually switched off to ensure take up of the new system.
In addition to this, DWP should ensure that there is a plan to identify and migrate key
corporate information from the shared drives to the new ERMS and to dispose of
what is no longer required. This work needs to be a concrete part of plans to
establish an ERM solution as part of a new information strategy. See
Recommendation 2.
Benefits delivery systems
27
The majority of DWP’s digital information is held within line of business systems
designed to manage the process of benefits delivery. The records that reflect the
benefits delivery process are increasingly digital – either because they are
received/created digitally or scanned into the Document Repository System. Some of
these rely on old technology and many of them interconnect (see Section 2.2). Most
of these systems have disposal processes built in, but there are some exceptions to
this. (see Section 4).
Emails
According to the Email Management Desk Aid, emails must be ‘maintained as
records in accordance with the Records Management Policy.’ There are limits on
email inbox size of 200mb but some staff we spoke to said their limit had been
increased. Use of Personal Storage Table (PST) files to store emails was
widespread despite a warning that these are not supported and there is a real risk
that key corporate information will be lost. One interviewee said ‘I know I shouldn’t
use PST files, but I do.’ Enterprise Vault will soon be implemented to try and
discourage the use of PSTs by providing backup storage of email. According to
policy, ‘significant’ emails and attachments should be printed out and put on
registered files. Some staff said that they saved significant emails to their shared
drive but very few said that they printed emails out to put on registered files. There is
a risk therefore that key corporate records are not readily accessible to staff or being
kept for the requisite period of time and that emails of potential historical value will
not survive to be selected and transferred to The National Archives. The Department
has also recently rolled out Lync for instant messaging, although they have yet to
make decisions about how long to keep the messages within this and to issue
guidance on what Lync should be used for. DWP should ensure that the new ERMS
connects to the email system and make the process of saving significant emails as
easy as possible for staff, automating the process where possible. Retention rules
should be applied to Enterprise Vault (for example, one government department
disposes of information in Vault after two years) and staff should be reminded of the
need to save emails of corporate value to shared drives and/or print off and put on
28
registered files. Retention should also be applied to Lync and staff need to be clear
on exactly what they should be using this for. See Recommendation 2.
Collaboration systems
DWP has been using Yammer as a collaboration tool for around two years. This has
been replaced by Drupal. There is a user guide for Yammer which states that
information within the system is considered to be part of the DWP record, however
this is for Freedom of Information (FOI) purposes. In practice staff can delete posts
as they see fit. The Records Management Policy states that only ephemeral
discussions can take place on Drupal therefore it is not anticipated that significant
posts will be on there. However, it is intended to make the point clearer in the next
review of the policy. In implementing Drupal, DWP should ensure that there is a
process for capturing any key corporate information for the record and that retention
rules are applied. They should also ensure that staff are clear on exactly what they
should be using the system for. See Recommendation 2.
Finding, accessing and protecting information
Although many staff we spoke to managed to find and share the information they
needed within their own business area, there are barriers to information sharing
across teams, as information held within shared drives, email inboxes and PST files
is not accessible across the organisation. Information sharing across teams is largely
done by email. The implementation of an ERMS, a well-structured and easy to use
file plan; and the eventual closure of the shared drives has the potential to improve
the situation as long as it is done well. Capturing the right metadata will also help to
improve the findability of information both in the new ERM solution and in terms of
how staff are naming information on the current shared drives. DWP should also
ensure that the new system has sufficient search functionality and that staff know
how to get the best out of this. See Recommendation 2.
The shared drives present some issues around access permissions where staff have
moved business areas but can still access the shared drive of their former team. It is
29
the responsibility of business areas to keep track of who can and cannot access their
shared areas. In contrast there seem to be good controls around access and
privileges for benefits delivery systems which contain large amounts of sensitive
personal data. Interviewees were generally confident that systems were set up to
keep information secure. For example, according to one interviewee ‘Customer
Management System (CMS) is not a general access system. Only certain people
have access and what they can see depends on their privileges.’ In rolling out its
new ERMS, DWP should ensure that access controls can be applied and
maintained. See Recommendation 2.
2.2 The continuity of digital information
Goal: The organisation is taking proactive steps to ensure the continuity
of its information, over time and through change.
Oversight of information
DWP has a Digital Continuity policy produced in 2011. This is very comprehensive
and covers areas such as risk assessment and mitigation and the use of Information
Asset Inventories (IAI) to record and manage this, applying retention policies and
complying with security standards. The policy was aimed at operational and
transactional systems, analytical digital datasets, end user computing (EUC)
applications and web content. It excluded digital information that should be printed to
paper and put on registered files. It was unclear exactly how far this policy had been
implemented across the business. The sample IAI we were provided with does
include a risk rating for confidentiality, integrity and availability but this is from an
information assurance perspective rather than digital continuity. Digital continuity
risks are not yet fully defined within the DWP risk management process (see Section
3). One interviewee said that there is an aspiration now to move away from a
standalone policy and ensure that digital continuity is built into business as usual but
it was not clear how this would happen. It is therefore recommended that DWP
devise a plan for implementation. The plan should cover all digital information,
30
including that on shared drives, as DWP cannot guarantee otherwise that significant
corporate information has been printed and put on registered files. See
Recommendation 3.
There has been work in conjunction with DWP’s IT supplier to map the technology
environment, which has enabled a better understanding of the applications in use
across the organisation and their functions. DWP only has a partial view of the digital
information it holds, which is largely due to the lack of oversight of information within
shared drives. It is recommended that DWP survey the digital information held on
shared drives. This could be done in a similar way to the paper file audits (see
section 4), asking business areas to report on what is held in within the shared
drives. Negotiating a slot to run Digital Record Object IDentification (DROID)
software (or a similar tool) over the shared drives would also be helpful particularly in
terms of determining how much duplicate information is held and identifying formats
and age of information. Understanding what information you hold and identifying
what needs to be migrated is an important part of moving to an ERM solution and
should form part of DWP’s work to move to a new ERMS. See Recommendation 3.
Digital continuity planning/IT change
In the past, IM and RM requirements have not always been given the right emphasis
in IT projects. Going forward, DWP should ensure that KIM considerations are
routinely part of plans to bring in new systems from the outset and that business
requirements for IM (for example, can you add the correct metadata, is there
adequate search functionality, can you export or dispose of information, can you
manage
access
restrictions)
are
a
core
part
of
these
projects.
See
Recommendation 3.
There is good practice around ensuring that information in benefits delivery systems
remains available and usable. One interviewee described their work around the
Customer Information System (CIS), which provides a single and accurate view of
key data held for all DWP customers, is at the heart of the Department (101 million
customer records). The CIS provides a picture of a customers business with DWP,
31
enabling the collection of personal customer information only once and sharing with
DWP systems as well as other government departments. It is the master system for
this information, connects with 40 other systems and there has never been a
fundamental failure. DWP believes this is down to ‘good design based on
requirements, comprehensive assurance and testing and a good relationship with
supplier.’ CIS is ten years old but the Department is remediating the hardware and
moving it to the most up to date version of Oracle by next year. Due to the number of
benefits delivery systems used across DWP, it was not possible to establish whether
all systems were being managed and maintained in this way and certainly several
interviewees raised concerns about the age of the systems. However, there did
seem to be a general recognition of the importance of keeping this information
available as it was crucial in carrying out DWP’s core business functions. Also, some
of the systems are simply being maintained in the short term, as they will ultimately
be superseded by Universal Credit. DWP should ensure the need to keep
information within benefits delivery systems available and usable to be factored into
DWPs overall plan for implementing digital continuity as business as usual. See
Recommendation 3.
32
3
Information risk, governance and oversight
3.1 Recognising information risks
Goal: The organisation defines and manages information risks to
minimise threats and maximise opportunities
Documenting and defining information risks
The Department for Work and Pensions (DWP) has nine risk categories: strategy
risk, governance risk, financial risk, legal and crime risk, change risk, customer
service and operational risk, information risk, people risk and communication risk.
Information risk is described as:
Risks arising from inadequate management of information used to support
service delivery, decision taking in line with accountabilities and to ensure
delivery of DWP and government objectives.
There are six categories of risk associated with this: confidentiality, integrity,
availability, economy, effectiveness and efficiency.
In practice, information risk tends to be defined as risks to the security of information,
particularly sensitive personal information. The risks detailed on the Information
Management Assurance Board (IMAB) risk register reflect risks around the
protection, security and sharing of information, and around the physical loss or
corruption of paper information. In relation to this, it recognises a range of potentially
significant consequences including reputational damage, legal actions, sanctions or
financial penalties. However, there is nothing on the risk of not capturing and
keeping the records it needs, in the way that it needs for as long as it needs. For
example, the risk that significant corporate information is not being captured onto
registered files but being kept on shared drives is not reflected here, nor are risks
around not being able to access or use information help within legacy systems.
33
The impact of a records management (RM) failure may have a significant effect at a
team or even at an organisational level if information is not available in the way that it
should be. The records review by Sir Alex Allan (2014) emphasised the importance
of organisations to be able meet obligations for the appraisal and review of records.
In the short to medium term there can also be significant impact in business terms if
a Department cannot justify or explain decisions that have been taken or does not
dispose of information when it needs to. However, DWP is not currently subjecting
information management or RM- related risks to scrutiny or monitoring processes to
manage them through the risk management framework. As a first step, DWP needs
to ensure that it defines the risk to the Department of failing to manage information
so that the impact of not capturing or keeping the information that is needed can be
understood and managed at all levels of the business. The Senior Information Risk
Owner (SIRO) should have sight of this risk (via DWP Departmental Security
Oversight Board (DSOB) and IMAB) and the actions that are in place to manage it.
See Recommendation 4.
Implementing an information risk management approach
DWP processes personal data on a very large scale. It follows a four-stage approach
to managing risk:

Identify risks, causes and consequences and document them on the risk
register.

Assess the potential impact and likelihood of each risk, prioritise (on a risk
register) with inherent and residual risk scores, and a documented
understanding of existing controls to mitigate risk and the effectiveness of
those controls.

Agree a strategy/approach for addressing key risks, identify owners and
document on the risk register.

Regular risk reporting to management, for example, reports to executive
management, summarising the key risks and risk portfolio of the Department
as a whole.
34
Most risks are managed at strand/project level. However, escalation is encouraged
when the risk cannot be managed effectively at that level, or where control is outside
the area / direct influence of the Risk Owner and a decision is required at a more
senior level. The Escalating Risk guidance also states that risks can also be
escalated for communication only, to advise senior management that a risk with a
potentially significant impact exists and, where possible, provide advice on how it is
being managed. In all circumstances it is for the senior manager to ensure that
sufficient mitigation is put into place or, where the risk is significant, to consider
whether the information should be used. In some circumstances it may be
appropriate to highlight separately to the Business Senior Information Risk Owner
(BSIRO) or SIRO that a risk is considered to be so high that it is, for example,
unlawful. It is important that significant risks have adequate visibility at a senior level.
All projects have to complete a Privacy Impact Assessment (PIA) that is designed to
flush out key risks to information. This has three effects: compliance with Cabinet
Office directive for information use and accountability, good practice as identified by
the Information Commissioner, and provides a public facing document should there
be a request under the Freedom of Information Act.
The IMAB offers a useful forum for senior business representatives to surface and
discuss information risks in their capacity as BSIROs. The BSIROs we interviewed
suggested that although information risks were meant to be covered at IMAB, in
practice there was little discussion of this. Above this, the DSOB ‘heat map’ is
designed to map all security and information risks at a high-level. However, on the
version we were given IM or RM risk does not appear to feature either as a
standalone risk or as a contributory factor in individual security risks. We understand
that information security is on the agenda for every Audit Committee meeting, with
one interviewee noting that the committee recognised it was an area that it needed
to understand and had to be on top of. However, here again information and records
management related risks are not yet receiving scrutiny. DWP has an excellent
range of controls in place for information security, and a good set of structures for
monitoring through the DSOB and the heat map, but it should build IM and RM risk
into this process. In overall terms, DWP needs to be confident that strategy is in
35
place that prioritises IT systems as a means of supporting information, and that risks
have been identified. See Recommendation 4.
36
3.2 Establishing control
Goal: The organisation has effective governance structures in place that
foster communication and strategic planning.
Governance structures
DWP has a good governance structure in place for information assurance and IM.
DSOB provides assurance and governance for security issues across DWP. It sets
the direction for security strategy, concentrating on the big issues and key risks for
the Department, and is the strategic decision-making body and escalation route for
significant security issues. The Board’s remit encompasses all aspects of
departmental security: strategy, governance, technology, operational, information,
people, process and risks. DSOB is chaired by the SIRO and its membership
consists of, Digital Transformation Director General, IT Director, Operations Director,
Universal Credit Programme Director, Chief Security Officer and other attendees
such as the Chief Technology Officer, Departmental Security Officer and Chief
Internal Auditor.
IMAB reports into DSOB and its purpose is to:

oversee policy, guidance, support and assurance relating to information
management and security; and

ensure that DWP and its arm’s-length bodies are adhering to legislation, other
mandatory requirements and central guidance; and pursuing best practice in
appropriately balancing their need to protect and exploit information while
delivering Departmental objectives.
IMAB is currently chaired by the Director of Data and Analytics and its membership
is largely made up of BSIROs. This is good practice. At present the governance
structures are still maturing and in particular information risk should have greater
37
visibility in both boards. IMAB and DSOB with continued investment of effort from the
centre of the Department plus support from the BSIROs, they should provide an
excellent opportunity to get senior people together and act as an important forum for
the recognition and discussion of risks to information and mitigations.
At the time of this assessment, the SIRO role was in the process of moving to the
Director General for Technology. The incoming SIRO recognises the importance of
IM and requested that the Directorate which hosts the Knowledge and Information
Management (KIM) function be moved to Technology. This has now been
implemented. Staff we spoke to as part of the assessment felt this to be a positive
move and, in particular, thought it would help to ensure that KIM considerations are
recognised and incorporated in IT projects from the start.
Supporting the business
The Knowledge and Information Management Department (KIMD) sits within the
Data and Analytics Directorate. This and the Security Directorates have moved from
the Finance Group to Technology which should improve links with IT (seen as a
positive move by staff). The KIM division consists of the following areas: Freedom of
Information (FOI) and Open Data, Data Sharing and Data Protection Policy, Records
Management, Information Strategy and Data Governance, External Data Share
Advice Centre and DWP Library Services. The Departmental Records Officer (DRO)
leads the KIRM team. Focus for the team in the past year has been around
preparing for a collaboration tool (to include Electronic Records Management (ERM)
functionality) , improving compliance with the print to paper policy, paper reduction
and retention policy.
Due to the size of the organisation, KIMD support to the business is provided largely
through guidance and training given on request. Areas such as FOI and Data
Protection rely on networks to carry out their work (see Section 1) and KIMD too
would benefit from an effective network of information representatives. This would
improve the reach and impact of the KIMD in the business (see ‘Support networks’
on page 40).
38
39
Support networks
DWP does not yet have an effective network of Records Management (RM)
representatives out in the business. There are Nominated Contacts but in practice
these are used largely as a point of contact for the paper file audits. There is an
aspiration to establish a network of KIMD advocates across the organisation and it is
strongly recommended that DWP works to make this a reality. This could be by
establishing a new network or building on one that already exists, for example, this
could be built into the role of the IAMs. Networks of this kind, particularly in very
large and geographically distributed departments like DWP, are essential to extend
the reach of the KIMD and help to promote, implement and monitor KIM policy and
practice. They also play a crucial role in the implementation of ERM systems, helping
to promote the system and train and support staff in their business areas. There is
some good practice around networks developed for FOI and Data Protection and
information assurance (see Section 1) that DWP can draw on. Also, a KIM
Champions network has been established within Strategy Policy and Analysis Group
(SPAG). These Champions develop an action plan assessing how good KIM practice
is in their area and how to improve it. There are also monthly meetings to discuss
issues and share best practice. See Recommendation 5.
3.3 Providing direction
Goal: The organisation gives staff the instruction they need to manage,
protect and exploit information effectively.
Knowledge and Information Management policy and guidance
DWP has an up-to-date Records Management Policy which is available on the
intranet. This covers principles around keeping corporate and benefits records
including the print to paper policy, assurance and compliance, where documents
should be stored for and how long and KIM contacts. It also clearly states that:
40
All staff have a responsibility to keep records of the decisions they make, the
advice they give, anything they do in the course of their work if it is significant.
The policy makes it clear that the print to paper approach is still in operation and
must be followed:
All ‘significant’ corporate records must be printed to paper. Any electronic
document, including emails and Intranet documents, must be printed to paper
and put in a Registered File or Corporate Record Box as soon as it has been
identified as a ‘significant’ record.
There is a wealth of other KIM policies and guidance covering all aspects of the RM
lifecycle. These are all available on the intranet and many of the staff we spoke to
knew about them and used them. Much of the guidance has also been broken down
into ‘desk aids’ to make it easier to understand and help staff have the guidance to
hand as they carry out their work. This is good practice.
There have been concerted efforts by the KIMD to raise awareness of the Records
Management Policy and promote the guidance. Records Management Extra gives a
fascinating overview of the life of a registered file from what records staff should be
keeping, through the stores at Heywood, then the selection, preparation and transfer
process and finally preservation at The National Archives. The Essential Records
Management campaign consisted of bite-sized chunks of content issued over five
weeks for staff within Finance Group on subjects such as the importance of RM and
dispelling myths about record keeping, the print to paper policy, disposal and life of
registered file, Find and Retrieve Information Online (FARIO) system, roles and
responsibilities for KIM, The National Archives, FOI and Parliamentary Questions.
This is good practice. There is an aspiration to roll this out across other business
areas within DWP and the organisation should definitely pursue this. See
Recommendation 5.
What to Keep
41
DWP has produced some good general guidance on what to keep and about the
type of documents that should be kept for the record. The ‘What to Keep Guide’
gives high-level guidance on the types of records that should be kept and advice on
what should be put on a registered file. There is also a desk guide on ‘What we
should have kept May 2010-2014’ which provides a list of the work areas/activities
that should be stored in Registered Files as a departmental record. These principles
are mirrored throughout the KIM policies and guidance described earlier. They have
also developed an organisation-wide disposal schedule covering key types of
records found across DWP. What to Keep is also covered by KIM training and in
guidance campaigns such as Essential Records Management and Records
Management Extra.
In a separate but related piece of work, the Pace team in the Operational Excellence
Division had worked with the KIM team to map the business process for paper
customer records. They examined the whole process and the record outputs in order
to create a ‘blueprint’ for the customer journey. They are now creating guidance and
desk aides and looking at how they can monitor whether staff are following this. This
is good practice.
There was a good recognition among staff we spoke to of the need to keep records
of their work. We found evidence that staff were using the guidance and one
member of staff when asked whether there was any guidance to help them decide
what information had value, referenced the desk guidance that he had been pointed
to by a member of his team and said that he had it on his desk. In particular there
seemed to be very clear knowledge about what customer records needed to be kept
at the delivery end, where and how long for. In terms of its corporate information
(non-customer information) the key issue for DWP is not ‘what’ to keep but ‘where’ to
keep. Many staff we spoke to were keeping records on the shared drives rather
printing them to paper and putting them on registered files as instructed. Several
members of staff reported a particular issue around the management of project
records. One member of staff on taking over responsibility for a particular project
said it took him six months to piece together the records of that project from various
42
sources such as shared drives, email, personal drives, and registered files. Some
staff we spoke to suggested that there was probably a tendency to keep too much;
for example, one interviewee felt that the problem was ‘not a lack of documentation
but seeing the wood for the trees’, another suggested that ‘civil servants don’t
destroy anything’ and DWP was no exception.
Providing training
The KIRM team provides training in IM and RM on request and it is only partially
included in induction. The quality of the training presentations we reviewed was
good. For example, the Records Management Introduction gives an overview of
what records are, why it is important, how DWP does this, the various roles involved
and responsibilities of staff for record keeping. All staff should receive at least a
basic level of KIM training as highlighted in section 6 of the Lord Chancellor’s Code
of Practice on the management of records issued under s46 of the Freedom of
Information Act 2000.1 DWP is a large department, distributed across many different
sites and it would be unrealistic to expect a comparatively small KIRM team to
provide ‘face to face’ training to all staff. A network of information representatives in
the business could help to delivery this training/reinforce the learning (see Section
3.2). Training doesn’t have to be face to face; telekits, video conferencing, e-learning
and the intranet could also be employed to share expertise and knowledge and
ensure that key messages are communicated. See Recommendation 5.
Training will be particularly crucial during the rollout of a new ERMS. The importance
of the cultural side of a technology change should not be underestimated, as
insufficient training and support is often a key factor in unsuccessful ERM
implementations. DWP should ensure that rollout is accompanied by a programme of
mandatory training on how to use the system, ‘floor walking’ and helplines. Again,
information representatives in the business will be crucial to the successful delivery
of a new ERMS. See Recommendation 2.
1
http://www.justice.gov.uk/information-access-rights/foi-guidance-for-practitioners/code-of-practice
43
All staff we spoke to knew about the Responsible for Information online training and
why it was important and had attended this as required. Figures show that in 2014
around 71% of staff completed and passed the training.
44
3.4 Measuring impact
Goal: The organisation measures performance in practice and takes
informed risk-based action as a result.
There are relatively few formal measures in place at present to measure compliance
with the RM policy. A question on RM has been included in the Information Asset
Assurance Returns and business areas are expected to provide evidence to
demonstrate how they are meeting policy. This approach is still maturing and further
detail could be given about what sort of evidence business areas needs to provide.
(see Section 1 and Recommendation 5). The KIRM team also carry out twice-yearly
file audits where 400+ registries are asked to provide lists of the registered files that
they hold. If problems are found then these are escalated back up the management
chain. DWP should explore the possibility of extending these audits to cover digital
information on the shared drives (see Section 4 and Recommendation 5).
45
4
Records, review and transfer
4.1 Oversight of records and selection
Goal: The organisation understands the value of its records and can
consistently identify those with enduring historical value.
Position of the DRO
The Departmental Records Officer (DRO) heads up the Knowledge Information and
Records Management (KIRM) team which consists of seven people (including the
DRO). Priorities are around creating RM policies, guidance and training, retention
and disposal, selection, sensitivity review and transfer and overseeing the paper file
audits. At present the review team is almost completely focussed on paper records
and it is unclear how an increased role in managing digital information will impact on
their work.
Oversight, control and use of records
The Department for Work and Pensions (DWP) transports, tracks and manages
paper files on an almost unrivalled scale across government and the vast majority of
this is customer information required for the process of delivering and administering
benefits. DWP holds 57 million paper files and around four million of these are ‘noncustomer’ files. There are two main paper stores at Heywood and Darlington and the
assessment team visited the main store at Heywood. Capita have managed this
service for DWP since 2004. There are 2-300 Capita staff on site at Heywood. The
KIRM team has oversight of Capita’s work – several members of the KIRM team are
based on site at Heywood and work closely with Capita staff. Files are tracked using
a digital system called Find and Retrieve Information Online (FARIO). Capita have a
99% success rate of being able to locate files. Non-customer files or ‘DRO’ files are
kept separately at Heywood. This helps to ensure that material that needs to be
reviewed is easily identifiable and helps the process of appraisal and selection run
46
smoothly. This is good practice. DWP are about to re-let the contract for storage
and management of corporate and customer information records.
The KIRM team carry out twice-yearly file audits where over 400 registries are asked
to provide lists of the registered files that they hold. These stopped for just under a
year but were started again at the end of 2014. At present these only cover paper
files. The KIRM team check these and if problems are found they are escalated back
up the management chain. Issues found include registered files not being closed,
registered files requested but not used and a general lack of registered files. It was
estimated that of the returns received in the last audit, around 80% of these showed
that the business areas were failing to manage their paper records in line with
Knowledge and Information Management (KIM) guidance.
The lack of corporate system for Electronic Records Management (ERM) means that
the oversight and control that the KIRM team has over paper records does not
extend to digital. For example, they do not have oversight of the shared drives which
are managed locally by business areas (see Section 2). DWP would benefit from
extending the paper file audits to cover digital information, in particular that on the
shared drives. See Recommendation 5.
Appraisal and selection
DWP has a team of four (three Records Management Advisors and a Reviewing
Manager) that is responsible for the appraisal, selection, sensitivity review and
preparation of files for transfer. The team work on all stages of the process rather
than just one area which helps to ensure knowledge transfer. The team are
experienced in appraisal and have built up a good knowledge of the history of DWP
which helps them to make well-informed decisions on what to select for permanent
preservation. There are clear criteria and guidance for reviewers on selection and
DWP also has an Operational Selection Policy. The review team are employing
macro appraisal techniques in line with The National Archives’ guidance and where
possible complete Series Level Appraisal Questionnaires (SLAQs) for file series in
order to understand what type of records the series contains. Once these are
47
approved these are used to ‘sift’ out files of no value for destruction. They carry out
spot checks to ensure that they are not getting rid of anything of value. The National
Archives Information Management Consultant (IMC) has been able to approve
reviews without need for regular rechecking. This is good practice.
Given that the organisation still runs a print to paper policy, there are no plans as of
yet to appraise and select information held within shared drives. The shared drives
are likely to contain information of corporate value that has not been printed off onto
registered files. DWP therefore needs to engage with their IMC and begin to devise
an approach for appraisal of information on the shared drives in order to identify
material of historical value that should be transferred to The National Archives. Some
of the macro techniques that it has applied to paper records can be adapted for this
purpose. It should also consider how it will apply appraisal and selection to any new
Electronic Records Management System (ERMS). DWP is a member of The
National Archives Digital Transfer User Group and are therefore aware and able to
learn from developments that other departments have made in the area of digital
appraisal and digital transfer generally. See Recommendation 6.
4.2 Implementing disposal decisions
Goal: The organisation understands the process for records disposal
and consistently implements decisions in line with defined plans.
Triggers for disposal
DWP generally has robust and effective procedures in place for the disposal of paper
files. Disposal information is added to the FARIO database for each file and Capita
carry out disposal of paper files on a daily basis. This is doubly important due to
pressure of space at the Heywood, particularly as they will be moving out of the
Darlington store in the near future. There is a backlog on disposal of Human
Resource (HR) records which is partly due to the outsourcing of some of the HR
function and partly due to resource. However, the issue had been discussed with the
DRO who was keen to find a solution.
48
Most of the benefits delivery systems have disposal built in although there are some
omissions. The KIRM team is working with those areas to address this. DWP should
ensure that all customer systems have a disposal function and that this is active. See
Recommendation 2.
Disposal of digital ‘non-customer’ information is more ad hoc and is generally done
at a local level, although central guidance on retention periods is available. For
example, business areas are responsible for disposal from shared drives and email
inboxes and users can delete posted information from Yammer. Although we found
evidence to suggest that some areas do this well, overall practice was found to be
inconsistent. Some interviewees reported that they regularly deleted records that
they no longer needed but many did not. There is a risk that key corporate
information could be lost through uncontrolled disposal or, on the other hand, that
DWP is keeping too much information. DWP should consider extending the paper
files audits to digital information and as part of this ask business areas to report on
disposal. See Recommendation 5.
Sensitivity review
Sensitivity issues for DWP are relatively straightforward in comparison to other
government departments in that they largely centre around sensitive personal
information. The review team is responsible for sensitivity review and takes a
decision on whether to close or redact depending on how much sensitive information
is in a file. For example if there is a lot of sensitive information that would require a
large amount of redaction, they will apply to close the whole file. If there is a small
amount of sensitive information (usually an individual’s name) they will redact and
close this information and open the rest of the file. DWP’s closure applications to the
Lord Chancellor’s Advisory Council are generally good and are approved without
queries. DWP has not yet considered how it will sensitivity review digital information
and needs to start developing an approach to this. See Recommendation 6.
Transfer and planning
49
DWP is currently ahead of target in terms of working towards the new 20-year
transfer rule and they have no legacy backlog, as demonstrated by the Records
Transfer Return figures for autumn 2014. It has a plan for review and knows exactly
what it needs to review and when it needs to have been transferred. It runs a
‘conveyor belt’, systematic process of appraisal, sensitivity review, cataloguing,
preparation and transfer. It currently has a large number of boxes awaiting
cataloguing and preparation checks from The National Archives which is having a
knock on effect on the space it has in order to start working on the next batch of files.
There were some issues with the standards of cataloguing and preparation with the
last batch of files transferred to The National Archives which led to a significant
amount of re-work and as a result The National Archives checks are taking longer
this time round. The KIRM team is fully engaged with The National Archives on these
issues and are exploring a resolution.
50